Control over online data rests with companies

Consumers' only option for privacy is often logging off

Published 10:00 pm, Sunday, October 15, 2006

NEW YORK -- If you don't like what your favorite Internet search engine or e-commerce site does with information it collects about you, your options are limited to living with it or logging off.

Major search engines, for instance, all keep records of your searches for weeks, months or even years, often tied to your computer's Internet address or more. Retailers, meanwhile, generally presume the right to send marketing e-mails.

Latest business videos

"None of them have gotten to the point of giving a lot of controls in users' hands," said Ari Schwartz, deputy director of the technology watchdog group Center for Democracy and Technology. Privacy policies "are about notice ... not about control."

But the push for stronger federal protections is countered by Attorney General Alberto Gonzales' desire to require Internet providers to preserve customer records to help prosecutors fight child pornography. Gonzales' office has released few details, though it says any proposal would keep the data in company hands until the government seeks a subpoena or other lawful process.

Federal law already limits how personal financial and health care data may be used, but U.S. privacy laws are generally considered weak compared with those in Europe and Canada.

Industry groups have stepped in with guidelines that go beyond legal requirements.

One group, Truste, requires member companies such as AOL and Yahoo Inc. to give consumers a way to decline to share personally identifiable information with outside parties. Companies also must disclose any use of tracking technology and specify personal information collected and how it is used.

"The fact that we don't license every person on the Internet gives consumers (the ability) to shop around," said John Tomaszewski, Truste's vice president for legal, policy and compliance. "We've got folks out there engaging in a higher standard than what is normally required."

Some companies go even further.

E-Loan Inc. customers worried about safeguards when data is outsourced to India can choose to have loan applications processed domestically, though loans in such cases take two additional days to close.

Mark Lefanowicz, E-Loan's president, said about 80 percent of customers have agreed to outsourcing, and he said choice pre-empted any backlash.

"They have the right to deal with us under their terms," he said. "If we just disclosed we used an overseas provider, for a lot of customers it's irritating to them."

Comcast Corp., meanwhile, gives customers a range of options on how long its servers keep e-mail, while a small search engine called Ixquick promises to purge data within 48 hours.

In other cases, companies have responded to a backlash from customers. When Facebook recently allowed easier tracking of changes their friends make to personal profile pages, users threatened boycotts and forced the company to apologize and offer more privacy controls.

But such cases are rare. Consumers generally haven't demanded better privacy options the way they shop around for better prices or ease of use, said Carl Malamud, senior fellow at Center for American Progress, a liberal think tank.

"As a consumer I don't choose based on practices for privacy," he said. "I choose based on functionality, and many consumers do the same."

So Google Inc. remains the leading search engine, even though it won't say how long it keeps data on what people search for.

Like other companies, Google says such information is helpful in improving services and fighting computer attacks and fraud.

Many companies already restrict data sharing on their own but stop short of a total purge.

"There is such a mantra built around the information economy and how valuable the information is ... that companies don't want to give that up," the CDT's Schwartz said.

Lauren Gelman, associate director of Stanford Law's Center for Internet and Society, said companies may not need all the data today, but they don't want to limit their options, either.

She and others worry that keeping data longer than necessary could lead to abuse.

Already, many companies have acknowledged data breaches from Web site hacks or stolen laptops. And this summer, an AOL researcher released three months' of search terms on more than 650,000 subscribers without clearing it with superiors.

Jason Catlett, founder of the privacy group Junkbusters Corp., said individuals ought to have more opportunity to see, edit and delete records companies have on them.

"There's still a lot of diversity in information practices," he said, "but there has been a convergence to what the average person would consider too low a standard."